Medicaid Program Integrity

Medicaid is a large, high-risk program, serving millions of Americans. To ensure it operates properly, federal regulations set out numerous program integrity requirements. The Government Accountability Office considers Medicaid high risk due to:

• Its diverse and expanding population of clients and providers
• Large overall payment sums
• Complex billing and coding systems

The Centers for Medicare and Medicaid Services (CMS) provides the federal regulatory framework for Medicaid program integrity. CMS attributed significant amounts of improper payments during 2019 to two primary reasons:

• First, insufficient documentation to verify client eligibility
• Second, state Medicaid agencies did not comply with federal requirements for screening and enrolling providers

Overall, these issues produced a nationwide Medicaid improper payment rate of 14.9 percent. This means approximately one in seven Medicaid payments lacked sufficient documentation or displayed some sort of error.

As Washington’s state Medicaid agency, HCA must oversee all program integrity efforts, including those at sister state agencies. Two such agencies – the Department of Social and Health Services (DSHS) and the Department of Children, Youth, and Families (DCYF) – spent more than $4 billion total in Medicaid funding in fiscal year 2020. Oversight forms a safety net to ensure policies are implemented and funding is spent as intended. Oversight tasks can include reviewing reports, monitoring results and implementing corrective action plans when necessary.

In the past, HCA’s organizational structure for program integrity efforts shifted repeatedly in response to concerns about decentralization, accountability and changing operations. The final organizational change, in January 2021, integrated provider enrollment with other crucial program integrity efforts. Provider enrollment is an important aspect of program integrity. Staff check federal exclusion lists to ensure providers with known histories of fraud, waste or abuse do not provide services for Medicaid. By moving provider enrollment to the new Division, HCA executives addressed a recommendation by CMS aimed at reducing the fragmented responsibility for program integrity.

The audit found HCA’s agencywide strategic plan makes only limited mention of program integrity. Furthermore, while the agencywide plan includes mention of provider enrollment and data analytics for program integrity, it does not set specific objectives for any program integrity effort. Clearly stating those objectives in the plan would emphasize the importance of program integrity to everyone in the agency.

HCA executives conduct some oversight of program integrity efforts. However, they can improve their monitoring through better use of performance measures. Current meetings and committees are insufficient to verify the agency is meeting all program integrity requirements. HCA has some program integrity measures but lacks others recommended by experts and used by other states. At present, Division managers actively monitor only one measure, concerning deadlines for draft audit reports. The lack of good performance measures also makes it harder to demonstrate success to the Legislature and other stakeholders.

Federal regulations require HCA to oversee program integrity efforts at sister state agencies: DSHS and DCYF. HCA executive leadership formalized oversight responsibilities in agency policy and interagency agreements, and assigned this responsibility to the Division.

However, the Division has not overseen program integrity efforts at sister state agencies. Nonetheless, CMS expects sound fiscal stewardship of Medicaid funding. The audit review of other states’ practices found useful examples of what this could look like. DSHS and DCYF said they have processes in place to ensure they spend Medicaid funding properly. However, the Division has not overseen those program integrity efforts for several reasons:

• Division managers have not assigned oversight of sister state agencies to any of the units
• The Division lacks a Statewide Medicaid Fraud and Abuse Prevention Plan outlining roles and responsibilities across key partners
• Change, transition and the lack of a Plan left managers uncertain of their oversight responsibilities

For example, the audit found that instead of a single plan, HCA has multiple documents. Various agreements outline program integrity roles and responsibilities, but were created at different times and without reference to each other. The documentation that does exist fails to address several federal requirements, to include all program integrity oversight responsibilities, and to describe current practices.

Managed care changed how Medicaid pays for services, requiring a different approach to program integrity efforts. Formerly, the Medicaid agency simply checked to make sure it paid the right amount, to the right provider, for the right service for an eligible client. Under managed care, managed care organizations (MCOs) act as contracted intermediaries between state Medicaid agencies and providers. The contracts spell out what each party must do to ensure program integrity. They also detail the consequences MCOs face if they do not live up to the requirements.

The Division is establishing ways to hold MCOs accountable for their role in program integrity efforts. For example, after the Division audited data used to set monthly payment rates, HCA executives sanctioned the five MCOs a total of nearly $1 million. Also, the Division requires MCOs to regularly report on their program integrity efforts. HCA staff discuss the results with the organizations on a quarterly basis. In addition, HCA recently updated the contract to allow additional financial penalties for failure to fulfill program integrity requirements.

However, the Division could improve its oversight of MCOs by directly auditing providers and recovering overpayments. In addition to auditing encounter data, the Division should also audit providers contracted with the MCOs. The Division started reviewing providers contracted with MCOs but never initiated formal audits due to uncertainty as to what to do with the results. Also, Division managers said they lacked guidance on how to handle identified overpayments. These processes are currently being finalized, with Division managers included as decision makers.

The Division can improve the ways it generates and evaluates the incoming leads that become reviews, audits and investigations of Medicaid providers. These leads include complaints and referrals of alleged fraud, waste or abuse concerning Medicaid contractors, providers, clients or programs. The Division receives leads from members of the public, MCOs and sister state agencies. It also identifies leads through its own data analytics.

Other states’ integrity programs provide examples of how to implement expert recommendations. These strategies include:

• Conduct risk assessments or evaluate leads with established risk factors
• Rely on data analytics to generate leads
• Conduct a preliminary review of incoming leads. This review might include analyzing data about the lead and reviewing records like billing histories.
• Determine the credibility of all allegations of potential fraud before referring to the state’s Medicaid Fraud Control Unit

Florida’s integrity program, for example, reported that shifting to a risk-based approach for identifying suspicious activity resulted in a significant increase in referrals to law enforcement.

The Division does not use risk assessments or formally established risk factors to guide its audit plans. While staff look for outliers and trends, only two of four units rely on proactive data analytics to develop workplans. The Division recently established a team to review and prioritize leads, but Division managers had different perspectives on whether the team consistently received necessary data. As the Division does not determine the credibility of fraud allegations for MCOs and DSHS, it cannot take appropriate action for many situations that merit scrutiny.

Our audit has identified a number of opportunities for HCA to improve both its own program integrity efforts and its oversight of other entities’ efforts. HCA agrees with our recommendations and has already begun implementing them.

The audit recommends HCA executives improve overall oversight, strategic planning and performance measurement. It also recommends Division of Program Integrity managers improve:

• Strategic planning and performance measurement
• Oversight of program integrity at sister state agencies and MCOs
• Audit selection and assignment process within the Division